World IPv6 Launch: this time it’s for real

Like last year, in early June, some of the largest websites in the world will …

As happened during last year's World IPv6 Day, the Internet Society is taking the lead in organizing World IPv6 Launch on June 6, 2012. (Yes, right on the heels of the Venus transit across the disk of the sun.) But unlike last year, after turning on the new version of the Internet Protocol on some of the largest Web properties—and many smaller ones—this year, IPv6 will not be turned off again 24 hours later. So "this time it's for real," and the new protocol will be here to stay at Google, Yahoo, Bing, Facebook, and Cisco, as well as many Akamai and Limelight customers.

Also new this year is that several Internet service providers will be participating by enabling IPv6 for at least one percent of their customers—with more to follow. These ISPs include not only those that have already put a toe in the IPv6 waters before, such as Comcast, Free Telecom in France, and XS4ALL in the Netherlands; but also Time Warner Cable and AT&T. Last but not least, Cisco/Linksys and D-Link will be enabling IPv6 support in the default configurations of their home routers.

Regular readers of Ars already know everything they need to know about IPv6, but the highlights are simple enough: the currently used IPv4 can only handle 3.7 billion addresses, and we're running out of address space: first in Asia, with Europe to follow soon. The new IPv6 has, for all practical purposes, an unlimited number of addresses.

Although there is no plan B for the IPv4 well running dry, IPv6 deployment has been lackluster at best. The Internet Society tried to get some momentum going and flush out unnoticed broken IPv6 setups with last year's World IPv6 Day. The effort was mostly successful, with only a few surprises here and there.

With the exception of the 24 hours during WIPv6D, Google has been using a DNS whitelisting system so only users with known IPv6-friendly ISPs get to see Google's IPv6 addresses, in an effort to avoid issues with those broken IPv6 setups. As of World IPv6 Launch, this will no longer be the case. "Our participation in World IPv6 Launch means that the whitelist will be removed and AAAA records will be generally available," said Google's Lorenzo Colitti. "We may still choose not to return AAAA records to specific networks if our measurements indicate that returning them would cause significant user impact. However, this will be the exception rather than the rule."

Also, the number of home users with IPv6 connectivity will increase as ISPs start rolling out IPv6 to their customers. XS4ALL in the Netherlands has been a pioneer in this area. (Full disclosure: I got started in the Internet business as an intern with XS4ALL in 1995.) "We're going to supply an IPv6 prefix to all newly enabled connections," system administrator Timo Hilbrink told Ars. "This means that as of that moment, every new XS4ALL customer will have a working dual stack (both IPv4 and IPv6) Internet connection out of the box, without having to change any further settings on the CPE (home router) or in the customer portal.

"There used to be issues with the lawful interception capabilities required in the Netherlands regarding the mail servers, but those have been eliminated," Hilbrink added. "Another obstacle for both mail and Web hosting was the lack of high end load balancer platforms that handle IPv6 properly. Late last year we've finally been able to acquire a system that conforms to our requirements, so that hurdle is gone, too."

Until now, XS4ALL had to rely on a partnership with German electronics company AVM to supply so-called FRITZ!box home gateways with an IPv6 configuration profile that works with XS4ALL's service. But with last year's IETF specification and the IPv6 forum's IPv6 Ready CPE (customer premises equipment) test specification, it's now possible to build home routers that will automatically get an IPv6 address block from an ISP that they will then further distribute to computers in the home. "DHCP Prefix delegation, as well as other mechanisms such as 6RD will be supported and activated out of the box," said Cisco director Alain Fiocco. "IPv6 service will be plug and play."

When Apple introduced IPv6 support in their Airport Extreme base stations in 2007, the protocol was enabled by default, which surprised some. We asked whether Apple will be enabling IPv6 on their Airport Extreme base stations and/or on the main Apple website (www.ipv6.apple.com has been operational since WIPv6D), but we didn't receive any comment by press time.

So what does all of this mean?

One big problem with IPv6 so far has been the "set and forget" issue, where someone sets up IPv6, has a look at the dancing KAME and clicks on an IPv6-only URL or two, and then completely forgets about IPv6. The inevitable result is that, at some point, that IPv6 setup breaks and subsequent visits to IPv6-enabled locations incur delays or worse. With the likes of Bing, Yahoo, Facebook, and Google having IPv6 addresses in the DNS, broken IPv6 setups are going to be much more visible, and will be repaired much quicker than they have been until now.

However, even with 5, 25, or as much as 75 percent of the Web being reachable over IPv6, it's still not possible to turn off IPv4 and stop all the workarounds necessary to keep the address-starved protocol running. And one of last year's lessons was that even Web destinations that have their main domain name reachable over IPv6 typically load page elements such as images and scripts from secondary (sub-) domains that are IPv4-only, making the experience for users who only have IPv6 and no IPv4 pretty miserable.

And the Web is actually one of the applications that needs IPv6 the least: the HTTP protocol can withstand NAT as well as translation from IPv4 to IPv6 and proxying without much trouble. The opposite is true of applications like Skype, which have to work very hard to function even in today's firewalled and NATed IPv4 Internet, because in principle, every Skype user must be able to communicate with every other Skype user. So having some of them on IPv4 and some on IPv6 is a challenge, to say the least. And it's a challenge that Skype hasn't taken up so far, despite being on top of the list of applications that users would like to see support IPv6. We asked Skype, now owned by all-around IPv6-friendly (and World IPv6 Launch participant) Microsoft, about its World IPv6 Launch participation, but we didn't get a response by press time.

But despite all the work that still remains to be done, World IPv6 Launch will probably be the biggest step in the right direction so far. The days that "you're the only one asking for it" or "it has no priority" are acceptable answers when asked about IPv6 support are drawing to an end. And hopefully "World IPv4 Decommission" will come around while we're still young enough to enjoy it.

I find your lack of mentioning HAM radio disturbing, but including CB. Especially given your username!

On topic:

I just got ipv6 ready internally on my home and work network. I don't know if my ISP is up for prime time on this yet, but I'll be keeping in touch with them now to find out, now that the big boys on the internet are preparing to throw the switch.

@ClownRazer IPv4 based routers provided a certain amount of protection from the use of NAT, but it wasn't intended as a security feature. IPv6 based routers will need to include properly configured firewalls to control what traffic is allowed to access the computers in the internal network.

By default an IPv6 address is made up of the subnet address and a suffix based on the MAC address. There are methods to ensure the suffix changes over time, but that will depend on your OS. I am on my phone, so I don't have examples to link to at the moment.

Just because IPv6 doesn't necessarily increase security risks, it is probably worth understanding how they differ, so you can be sure you are exposing yourself.
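The address layout described in the comment above, as an added example that is not part of the original post or the article: it builds the MAC-derived suffix (the modified EUI-64 interface identifier of RFC 4291, Appendix A) and audits a list of addresses for that pattern, showing why the changing suffixes of the privacy extensions (RFC 4941) matter. The MAC address and the 2001:db8::/32 documentation prefixes are constructed sample values, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Optional


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier for a 48-bit MAC address."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit of the first octet, then insert ff:fe
    # between the vendor (OUI) half and the device half of the MAC.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host forms from an advertised /64 prefix and its own MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return str(net[int.from_bytes(eui64_interface_id(mac), "big")])


def embedded_mac(address: str) -> Optional[str]:
    """Return the MAC an address exposes, or None if the suffix is opaque.

    Heuristic: looks for the ff:fe marker in the middle of the low 64 bits.
    A random suffix contains it by chance about once in 65536 addresses.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


def devices_tracked_across_networks(addresses: Iterable[str]) -> Dict[str, List[str]]:
    """Map each exposed MAC to the /64 networks it was seen in (two or more).

    A hit means the same device is recognisable wherever it connects,
    which is what a suffix that changes over time is meant to prevent.
    """
    seen = defaultdict(set)
    for addr in addresses:
        mac = embedded_mac(addr)
        if mac is not None:
            seen[mac].add(str(ipaddress.IPv6Network((addr, 64), strict=False)))
    return {mac: sorted(nets) for mac, nets in seen.items() if len(nets) > 1}


# Constructed sample data: one laptop on two networks, plus one address with
# a random-looking suffix of the kind the privacy extensions generate.
SAMPLE_MAC = "00:1b:63:aa:bb:cc"
HOME_PREFIX = "2001:db8:1:2::/64"
CAFE_PREFIX = "2001:db8:beef:7::/64"
TEMPORARY_ADDRESS = "2001:db8:1:2:5c3e:91a7:d42:7be1"

if __name__ == "__main__":
    observed = [
        slaac_address(HOME_PREFIX, SAMPLE_MAC),
        slaac_address(CAFE_PREFIX, SAMPLE_MAC),
        TEMPORARY_ADDRESS,
    ]
    for addr in observed:
        print(addr, "->", embedded_mac(addr) or "no MAC exposed")
    print(devices_tracked_across_networks(observed))
```

Running the audit over the addresses your own hosts use for outgoing connections shows which operating systems still fall back to the MAC-based suffix.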

Do the routers that support IPv6 give the devices on the network an internet-facing unique IPv6 address, or is it still a local pool (or do you have the option for either)?

Edit - reading fail. I must have skimmed too fast by the section about the ISP giving out a block to home users. Thanks ;- )

New question though -- does this put home networks at greater risk because of all these directly exposed devices?

A NAT does not provide any security, what provides the security is the firewall that the NAT runs on top of.

Because the address pool is so large, each computer will have more than one internet facing IP. By default, applications will use a randomly generated outgoing IP that gets changed every few minutes. This means that someone cannot connect back into the IP that you used to connect to them.

You will still have a static incoming IP that others may connect to, but without being told what that IP is or having DNS to resolve it, scanning a /64 with a 100Mb/s connection would take thousands of millennia. Windows' firewall is actually good now and is quite hardened. The only effective way someone can break into your computers is someone running malware, but firewalls and NATs can't effectively protect against those anyway.

My biggest concern is how secure internet connected appliances will be, but those will probably be running Linux and hopefully have them only accept link local/site connections.

I hope ipv6 starts to take off soon or we just get ipv6 take up from tech savvy people. If you're interested in IPv6, google/wiki tunnelbroker and find a service near you; that way you don't have to wait for your ISP to get up to speed.

I just realized how shitty ipv4 decommission day will be for some old games.. Theoretically, the app layer shouldn't care.. but they were probably hard coded to use ipv4 addresses and udp/tcpv4 datagrams.. which will be a damn shame one day.

Just like the removal of IPX/SPX sucked for LAN gaming with some older titles. Starcraft is one of the rare ones that got a TCP/IP stack added years down the road when windows removed IPX/SPX.

I just realized how shitty ipv4 decommission day will be for some old games.. Theoretically, the app layer shouldn't care.. but they were probably hard coded to use ipv4 addresses and udp/tcpv4 datagrams.. which will be a damn shame one day.

Just like the removal of IPX/SPX sucked for LAN gaming with some older titles. Starcraft is one of the rare ones that got a TCP/IP stack added years down the road when windows removed IPX/SPX.

I'm sure by the time that becomes an issue, someone will find a way to emulate IPv4.

I just realized how shitty ipv4 decommission day will be for some old games.. Theoretically, the app layer shouldn't care.. but they were probably hard coded to use ipv4 addresses and udp/tcpv4 datagrams.. which will be a damn shame one day.

Just like the removal of IPX/SPX sucked for LAN gaming with some older titles. Starcraft is one of the rare ones that got a TCP/IP stack added years down the road when windows removed IPX/SPX.

Hamachi. The VPN it creates actually supports both IPv4 and IPv6 already, and can be used over an IPv6 only network. There's lots of other similar software to Hamachi (or just use a generic VPN). You might need a third-party IPv4 'driver' for Windows, but someone will likely be motivated to make one if there's much demand.

Doesn't help that this is pretty much the only ISP in Australia using IPv6 in any capacity...some of the others including Internode's new parent company iiNet are thinking about trials. Telstra makes it available to Ethernet or other directly connected business plans. Internode is fully deployed as IPv6 right to CPE.

And as an aside, the limitations of deployment are pretty much CPE so the Cisco/Dlink announcements are nice - they can join Fritz, Billion, Apple and others in supporting it... OS are all ready. Server side software is a large way there - the only hassle I had is with Jabber server software of all things.

I mean, if people are going to firewall IPv6 just like they do IPv4 (via NAT), then we're still in the same boat as ever, no? Just that instead of the pseudo firewall NAT provides, we're going to have a more regular firewall. Either way, direct connections are most likely going to fail unless the firewall does, like NAT on IPv4, protocol specific port openings.

Finally - I don't want to be tied to my ISP's choice of IP addresses. NAT addresses it nicely - but with IPv6, we're back to the bad old world where if your ISP decides to renumber your network, boom your whole address space inside changes. And of course, your router or other thing may not pick it up, and you'll have some devices working and some not.

Now imagine having to walk your parents through resetting their IPv6 connection properties and other stuff. Fun! And no, there's no remote desktop available because they can't connect!

At least now, when my internet connectivity wanes, it's usually the router - reboot it and things work again. In the IPv6 world, it's reboot router, modem, PC after PC after PC hoping it all works in the end. I'm not that optimistic. And repeating said process when ISP decides to renumber their network.

Perhaps we should do something like NATv6 - something to isolate the "inside" LAN from the WAN connection. If the ISP screws up their numbering scheme and your router loses connection, reboot router. Internal network IPs stay stable and everything...

Oh well. I predict a nice clusterf*ck on IPv6 rollouts when everyone realizes that now they have to start helping everyone when they have connectivity issues. Even worse when IPv6 sites aren't reachable via IPv4 and ISPs get accused of censorship and crap. Especially fun during a renumber (happens at least once a year or so for IPv4 here. I expect same for IPv6).

@ClownRazer IPv4 based routers provided a certain amount of protection from the use of NAT, but it wasn't intended as a security feature. IPv6 based routers will need to include properly configured firewalls to control what traffic is allowed to access the computers in the internal network.

No problem. A stateful firewall with a default drop for incoming traffic and you're getting the same effect as a NAT.

The day IPv4 is decommissioned those games will probably have become long irrelevant or there will be 4to6 tunnels or IPv4 VPNs dedicated to them.

IPv4 will take a long time to die off, possibly as long as the IPv6 uptake has taken so far? Don't forget that many systems will be running in dual stack mode.

I seriously doubt IPv4 will totally die out in our lifetime. There is a lot of infrastructure out there built on it. I suspect that dual-stack will be the norm for the next 15-20 years at least - even if people are running ipv4 behind a NAT and native public ipv6 addresses.

Finally - I don't want to be tied to my ISP's choice of IP addresses. NAT addresses it nicely - but with IPv6, we're back to the bad old world where if your ISP decides to renumber your network, boom your whole address space inside changes.

No, we're not. I suggest you read up a bit more on how ipv6 works before panicking about the shit hitting the fan.

Your internal network has its own address range, in addition to the public IPs each device gets.

PAT, on the other hand, which everyone uses, does indeed provide a good level of inbound security. If you don't believe me, open a telnet connection to my unsecured server - it's listening on 192.168.1.199. Oh, that's right, that's a private address. OK, my Router is 73.62.185.67.

Bummer the router can't interpret that since there's no inbound established connection... After all, it doesn't know who to forward the telnet session to. It could literally be any address from 192.168.1.1 - 192.168.1.254. The router doesn't know, so the router drops the attempt. No firewall needed.

IPv6, on the other hand, you damn well better have a firewall because every host has a direct path to any other host by default.

It will be hilarious to see people trying to BitTorrent on IPv6, the **AA will have a field day. "No, it wasn't your brother's PC, or that wireless connection from the neighbor, it was *your* PC doing the sharing because we identified your *globally unique* address."

Oh well. I predict a nice clusterf*ck on IPv6 rollouts when everyone realizes that now they have to start helping everyone when they have connectivity issues. Even worse when IPv6 sites aren't reachable via IPv4 and ISPs get accused of censorship and crap. Especially fun during a renumber (happens at least once a year or so for IPv4 here. I expect same for IPv6).

I don't predict any major issues at all. Since you can tunnel IPv4 inside IPv6 and vice-versa, the protocol the ISP uses (and/or the protocol the national carrier uses) can be either one and your PC wouldn't ever notice.

The IPv6 rollout will likely take many times longer than it should, but it won't be very disruptive. Reaching an IPv6-only site with an IPv4-only client would be a pain, but I don't think there will be any of either during the drawn-out transition. I mean, what site would stop hosting an IPv4 mirror? What modern OS doesn't have a dual stack available?

It will be hilarious to see people trying to BitTorrent on IPv6, the **AA will have a field day. "No, it wasn't your brother's PC, or that wireless connection from the neighbor, it was *your* PC doing the sharing because we identified your *globally unique* address."

1. Nah, they will be dual stack. I don't get how they mean here either.

2. I don't think encrypted, but certified. As I understood it would be like a background check. If box A said it was #1, the protocol verifies the preceding units that the packets actually came from #1. Still spoof-able but a bit harder.

I'm not sure if "IPsec is mandatory" is even true, but if it is, that means implementing it in IPv6-capable products. NOT using it. The trouble with IPsec is that it requires a complex configuration to work, so in practice nobody uses it, save for VPNs.

I mean, if people are going to firewall IPv6 just like they do IPv4 (via NAT), then we're still in the same boat as ever, no? Just that instead of the pseudo firewall NAT provides, we're going to have a more regular firewall. Either way, direct connections are most likely going to fail unless the firewall does, like NAT on IPv4, protocol specific port openings.

IPv6 firewalls that support UPnP work transparently with apps that already use UPnP to open ports on NATs.

tlhIngan wrote:

Finally - I don't want to be tied to my ISP's choice of IP addresses. NAT addresses it nicely - but with IPv6, we're back to the bad old world where if your ISP decides to renumber your network, boom your whole address space inside changes. And of course, your router or other thing may not pick it up, and you'll have some devices working and some not.

Now imagine having to walk your parents through resetting their IPv6 connection properties and other stuff. Fun! And no, there's no remote desktop available because they can't connect!

Link and Site level IPs won't change, only your public IP will change when you change ISPs. Anyway, your IP probably changes with your ISP every few weeks as it is. At least with IPv6, you'll probably get the same prefix when it does change

tlhIngan wrote:

At least now, when my internet connectivity wanes, it's usually the router - reboot it and things work again. In the IPv6 world, it's reboot router, modem, PC after PC after PC hoping it all works in the end. I'm not that optimistic. And repeating said process when ISP decides to renumber their network.

Perhaps we should do something like NATv6 - something to isolate the "inside" LAN from the WAN connection. If the ISP screws up their numbering scheme and your router loses connection, reboot router. Internal network IPs stay stable and everything...

Oh well. I predict a nice clusterf*ck on IPv6 rollouts when everyone realizes that now they have to start helping everyone when they have connectivity issues. Even worse when IPv6 sites aren't reachable via IPv4 and ISPs get accused of censorship and crap. Especially fun during a renumber (happens at least once a year or so for IPv4 here. I expect same for IPv6).

Why would you need to reboot everything when your ISP renumbers? Are you making stuff up again? The real question is, why do you think your ISP will renumber itself?

I'm not sure if "IPsec is mandatory" is even true, but if it is, that means implementing it in IPv6-capable products. NOT using it. The trouble with IPsec is that it requires a complex configuration to work, so in practice nobody uses it, save for VPNs.

I've also been under the impression, that IPSEC *support* was mandatory, since I first read about it back in early 2000.

According to wiki: IPsec was developed in conjunction with IPv6 and must be available in all standards-compliant implementations of IPv6 although not all IPv6 implementations include IPsec support

PAT, on the other hand, which everyone uses, does indeed provide a good level of inbound security. If you don't believe me, open a telnet connection to my unsecured server - it's listening on 192.168.1.199. Oh, that's right, that's a private address. OK, my Router is 73.62.185.67.

Bummer the router can't interpret that since there's no inbound established connection... After all, it doesn't know who to forward the telnet session to. It could literally be any address from 192.168.1.1 - 192.168.1.254. The router doesn't know, so the router drops the attempt. No firewall needed.

IPv6, on the other hand, you damn well better have a firewall because every host has a direct path to any other host by default.

It will be hilarious to see people trying to BitTorrent on IPv6, the **AA will have a field day. "No, it wasn't your brother's PC, or that wireless connection from the neighbor, it was *your* PC doing the sharing because we identified your *globally unique* address."

There are NATs that track state without using a firewall. Those NATs provide no security. Any NAT that does provide security means they also implement a firewall.

NAT itself provides no security, only the firewall it is built on top of. That being said, NAT itself is not a standard, but a hack. There are many different implementations of NAT, and many of those implementations open up security holes.

apple4ever: we'll have to see what ISPs end up supporting in practice. With some luck you'll be able to hook up an Apple Airport Extreme (disable the wifi if you like...) to a cable modem and have it work, but ADSL may be trickier. I would wait for the new Linksys and D-Link products with IPv6 enabled to come out and/or ask your ISP.

Iljitsch van Beijnum / Iljitsch is a contributing writer at Ars Technica, where he contributes articles about network protocols as well as Apple topics. He is currently finishing his Ph.D work at the telematics department at Universidad Carlos III de Madrid (UC3M) in Spain.